Buffer Overflow vulnerability in PHP

June 19, 2015

Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows a malicious remote FTP server to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow (CVE-2015-4022).

The attacker exploits the vulnerability as follows:

  • The attacker visits a vulnerable page, i.e. a PHP script that lists a directory on an FTP server the attacker controls (ftp_rawlist() sends LIST; ftp_nlist() sends NLST and goes through the same ftp_genlist() code path).
  • The target server connects to the attacker's FTP server and sends the LIST command.
  • The attacker's FTP server answers with a malicious, multi-gigabyte directory listing.

ftp_genlist() reads the listing from the data connection into a temporary file while two 32-bit counters track the number of bytes and the number of lines received. If the response stored in the temporary file is larger than about 2^32 bytes, the receive loop at line 1839 and the per-byte counting loop at line 1841 wrap these counters. The function then uses the wrapped values to compute the size of, and allocate, a heap buffer that is far smaller than the data it has to hold. The entire contents of the temporary file are then copied into this undersized buffer, producing the heap buffer overflow at line 1862. The result is a crash of the PHP process or, with a crafted listing, arbitrary code execution. Because the listing is spooled to a temporary file rather than held in memory, PHP's memory_limit does not cut the transfer short; the fixed releases (5.4.41, 5.5.25 and 5.6.9) widen the counters to size_t.
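The following is an added example written for this post, not code from PHP or from the SonicWALL advisory. It models the two-pass "count, allocate, copy" shape of ftp_genlist() on a constructed hostile listing: the counting pass with 32-bit counters (as in the affected versions) beside a size_t version with overflow-checked arithmetic and a sanity cap. The function names, the 64 MiB cap (MAX_LISTING_BYTES), the chunk layout and the exact allocation formula are this example's own assumptions; to keep it runnable the multi-gigabyte reply is simulated by accumulating one 4096-byte chunk per recv() call instead of streaming gigabytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not a capture): one recv() worth of a hostile listing,
 * LINES_PER_CHUNK identical LINE_LEN-byte lines, each ending in CRLF. */
#define LINE_LEN 64
#define LINES_PER_CHUNK 64
#define CHUNK_LEN (LINE_LEN * LINES_PER_CHUNK)     /* 4096 bytes */
#define MAX_LISTING_BYTES ((size_t)64 << 20)      /* assumed sanity cap: 64 MiB */

static void make_chunk(unsigned char *buf)
{
    for (size_t l = 0; l < LINES_PER_CHUNK; l++) {
        memset(buf + l * LINE_LEN, 'A', LINE_LEN - 2);
        buf[l * LINE_LEN + LINE_LEN - 2] = '\r';
        buf[l * LINE_LEN + LINE_LEN - 1] = '\n';
    }
}

/* Counting pass shared by both versions: every byte is text except the LF of a
 * CRLF pair, which ends a line (the CR slot later holds that line's NUL). */
static void tally_chunk(const unsigned char *buf, size_t rcvd, int *lastch,
                        size_t *text_bytes, size_t *crlf)
{
    for (size_t i = 0; i < rcvd; i++) {
        if (buf[i] == '\n' && *lastch == '\r') (*crlf)++;
        else (*text_bytes)++;
        *lastch = buf[i];
    }
}

/* Vulnerable accounting: 32-bit counters, like the plain int of the affected
 * versions. The chunk is tallied once, then its contribution is accumulated
 * once per simulated recv() in uint32_t, so the wrap is well defined here. */
static void count_vuln(const unsigned char *chunk, size_t len, uint32_t recvs,
                       uint32_t *size32, uint32_t *lines32)
{
    size_t tb = 0, cr = 0; int lastch = 0;
    tally_chunk(chunk, len, &lastch, &tb, &cr);
    uint32_t size = 0, lines = 0;
    for (uint32_t r = 0; r < recvs; r++) {
        size += (uint32_t)tb;              /* silently wraps past 2^32 */
        lines += (uint32_t)cr;
    }
    *size32 = size; *lines32 = lines;
}

/* Heap bytes the vulnerable version would request from the wrapped counters:
 * pointer table (lines + trailing line + NULL) followed by the text area. */
static size_t alloc_vuln(uint32_t size32, uint32_t lines32)
{
    return ((size_t)lines32 + 2) * sizeof(char *) + (size_t)size32 + 1;
}

static bool add_ok(size_t a, size_t b, size_t *o) { if (a > SIZE_MAX - b) return false; *o = a + b; return true; }
static bool mul_ok(size_t a, size_t b, size_t *o) { if (b && a > SIZE_MAX / b) return false; *o = a * b; return true; }

/* Hardened accounting: size_t counters, overflow-checked arithmetic and a cap
 * on how much a remote server may make us buffer. Returns false to reject. */
static bool count_safe(const unsigned char *chunk, size_t len, size_t recvs, size_t *alloc_out)
{
    size_t tb = 0, cr = 0, size = 0, lines = 0, table, total; int lastch = 0;
    tally_chunk(chunk, len, &lastch, &tb, &cr);
    for (size_t r = 0; r < recvs; r++) {
        if (!add_ok(size, tb, &size) || !add_ok(lines, cr, &lines)) return false;
        if (size > MAX_LISTING_BYTES) return false;   /* refuse early, not after GBs */
    }
    return add_ok(lines, 2, &lines) && mul_ok(lines, sizeof(char *), &table)
        && add_ok(table, size, &total) && add_ok(total, 1, alloc_out);
}

/* Copy pass over an in-memory listing with the checked accounting: one
 * allocation holding a NULL-terminated pointer table followed by the line
 * text, the same shape of result ftp_genlist() returns. Caller frees it. */
static char **split_listing(const unsigned char *buf, size_t len)
{
    size_t alloc, tb = 0, cr = 0; int lastch = 0;
    if (!count_safe(buf, len, 1, &alloc)) return NULL;
    tally_chunk(buf, len, &lastch, &tb, &cr);
    char **ret = malloc(alloc);
    if (!ret) return NULL;
    char **entry = ret, *text = (char *)(ret + cr + 2);
    *entry = text;
    lastch = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n' && lastch == '\r') { *(text - 1) = '\0'; *++entry = text; }
        else *text++ = (char)buf[i];
        lastch = buf[i];
    }
    if (text != *entry) { *text = '\0'; ++entry; }   /* keep an unterminated last line */
    *entry = NULL;
    return ret;
}
```

Feeding the 4096-byte chunk 1,100,000 times (about 4.5 GB of listing) leaves the 32-bit byte counter at 140,232,704 after wrapping, so the vulnerable accounting asks the heap for roughly 700 MB to hold 4.5 GB; the copy pass would then run off the end of that buffer, which is exactly the overflow at line 1862. The hardened version rejects the same stream as soon as the cap is exceeded, and on a 32-bit size_t the checked additions would refuse it even without the cap.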

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect its customers:

  • IPS 4902: Server Application Shellcode Exploit 20